Show random questions here?
Submit Media Login Join Now

๐Ÿ”’ Privacy Policy

Last Updated: April 10, 2026

๐Ÿ‡ช๐Ÿ‡บ GDPR Compliance

RateMyBody operates in Finland and complies with the General Data Protection Regulation (GDPR) and Finnish Data Protection Act. This privacy policy explains how we collect, use, and protect your personal data in accordance with EU law.

Data Controller: RateMyBody, Finland

Legal Basis for Processing: Consent, contract performance, legal obligations, and legitimate interests

๐Ÿ“‹ Table of Contents

  1. 1. Information We Collect
  2. 2. How We Use Your Information
  3. 3. Data Retention
  4. 4. Data Sharing
  5. 5. Your Rights Under GDPR
  6. 6. Security
  7. 7. International Data Transfers
  8. 8. Cookies and Tracking Technologies
  9. 9. Legal Basis for Processing
  10. 10. Data Protection Officer
  11. 11. United States Privacy Rights
  12. 12. Contact Us
  13. 13. Children's Data Processing
  14. 14. Data Breach Notification

1. Information We Collect

1.1 Account Information

  • Username and display name
  • Email address
  • Password (encrypted)
  • Date of birth
  • Gender and country
  • Profile information and bio

1.2 Uploaded Content

  • Photos, images, and videos you upload (up to 25 files at once)
  • Photo and video titles and descriptions
  • Category selections
  • Upload timestamps
  • Video thumbnails (auto-generated)

1.3 Activity Data

  • IP addresses
  • Browser type and version
  • Device information
  • Pages visited and actions taken
  • Ratings and votes given
  • Login times and session data

1.4 Third-Party Login Data (OAuth)

If you log in via Google or X (Twitter), we receive:

  • Your name and email address from the provider
  • Your profile picture (used as avatar if you don't have one)
  • A unique identifier from the provider (Google ID or X/Twitter ID)

We do not receive your Google or X password, and we do not post to your accounts or access your contacts.

1.5 Verification Data

If you choose to verify your identity, we collect:

  • A photo of you holding a paper sign with your username, the site name, and the current date
  • The timestamp of your verification submission
๐Ÿ”’ Verification Photo Privacy

Verification photos are never visible to other users. They are stored securely and accessible only to administrators for review purposes. We do not require government-issued identification documents.

1.6 Messaging and Chat Data

  • Private messages sent and received between users (content, timestamps, sender/recipient IDs)
  • Profile comments left on user profiles
  • Message report submissions and outcomes
๐Ÿ” Message Monitoring — What We Scan and Why

Private messages on RateMyBody are not read by staff on a routine basis. However, messages are subject to the following forms of monitoring, all of which are disclosed here in accordance with the EU ePrivacy Directive and GDPR:

  • Automated content scanning (all messages): An AI-assisted system scans all private message content automatically for patterns associated with grooming, sexual solicitation of minors, CSAM links, harassment, and illegal content. This is lawful under EU Regulation 2021/1232 (the temporary derogation from ePrivacy Directive confidentiality for CSAM detection) and under GDPR Art. 6(1)(c) legal obligation. The system does not produce individual human-readable reports on normal conversations — it flags specific patterns for review
  • Automated scanning of threads involving minor accounts (all such threads): Any message thread where one party is a registered minor (under 18) is subject to enhanced automated monitoring for grooming, escalation patterns, off-platform luring, and sexual solicitation. This is our strongest legal obligation under Finnish Criminal Code Chapter 20 §8a and EU Directive 2011/93/EU
  • Human review of flagged threads: When the automated system flags a conversation, or when a user submits a report, a designated staff member reads the flagged thread. For threads involving a minor account, only Safeguarding Leads (account level 50+) may conduct this review. Human review is proportionate — it is triggered by a flag or report, not applied randomly to all messages
  • Human review on valid legal request: If we receive a valid court order, law enforcement request, or other lawful legal process requiring us to disclose specific message content, we comply. We will notify you of such a request unless prohibited by law from doing so

What we do NOT do: We do not routinely read or manually review every private message. Staff do not access your message history out of personal curiosity. Bulk, indiscriminate manual reading of private messages with no legal basis would violate the ePrivacy Directive and is not our practice.

Legal bases: EU Regulation 2021/1232 (CSAM scanning); GDPR Art. 6(1)(c) legal obligation; GDPR Art. 6(1)(f) legitimate interests (safety, abuse prevention); Finnish Criminal Code Chapter 20 §8a (grooming prevention duty); 18 U.S.C. §2258A (NCMEC mandatory reporting).

1.7 Random Video Chat (Omegle) Data

๐Ÿ“น Video Chat Privacy

When you use the random video chat (Omegle) feature, we collect:

  • Session metadata (connection timestamps, duration, partner matching records)
  • Text chat messages exchanged during sessions
  • Report data including thumbnail screenshots captured at the time of a report
  • IP addresses and WebRTC connection data
  • Moderation actions (bans, warnings) and their reasons

Live stream transmission: Video and audio are transmitted peer-to-peer (WebRTC) directly between you and the other user — we do not route or store your live stream in real time. However, RateMyBody may capture brief moderation recordings (short clips or snapshots) triggered by user reports, automated conduct detection, or random moderation sampling. These clips are accessed only by authorised moderation staff, retained for a maximum of 30 days unless required for an active investigation, and are never shared publicly. See Terms of Service Section 6.13 for full details. The other party may also independently record your stream outside of our control — participate at your own risk.

1.8 Games Data

  • Game scores and play history (e.g., Super Mario leaderboard entries)
  • Truth or Dare answers and responses you submit
  • Game session timestamps and participation records

1.9 Point Shop and Transaction Data

  • Point Shop purchase history (items purchased, points spent, timestamps)
  • Virtual item inventory and usage (e.g., applied profile backgrounds)

1.10 Donation Data

  • Donation amounts and timestamps
  • Donor username (may be displayed publicly on the donation progress tracker)
  • Payment is processed by third-party providers โ€” we do not store your credit card number, bank details, or full payment credentials

1.11 Friends and Social Data

  • Friend requests sent and received
  • List of accepted friendships
  • Friendship status (visible on profiles to other users)

1.12 Event and Seasonal Feature Data

  • Content uploaded during seasonal events (e.g., April Fools photo gallery)
  • For guest event uploads: IP address, user agent string, and session identifiers
  • Event participation timestamps and view counts

1.13 IP Sharing and Multi-Account Detection

๐Ÿ” IP Address Tracking

We log all IP addresses used to access your account. This data is used to:

  • Detect multi-account usage and enforce Terms of Service
  • Identify suspicious login patterns for security
  • Provide you with an overview of accounts sharing your IP (visible on the IP Sharing page)

Other users who share an IP address with you may see your username listed on their IP Sharing page. This feature exists for transparency and abuse prevention.

1.14 Voting and Interaction Data

  • Photo and video ratings (1โ€“10 scale)
  • Hot or Not votes
  • Favorites and saved content
  • Points earned through site activity

1.15 EXIF Data and Embedded Metadata

๐Ÿ“ท Photo Metadata Processing

When you upload photos, we may extract and process embedded EXIF (Exchangeable Image File Format) metadata, which can include:

  • Camera make and model
  • Date and time the photo was taken
  • GPS coordinates (latitude, longitude) if location services were enabled
  • Image resolution, orientation, and technical settings

GPS Data: If your photo contains GPS coordinates, we may use this data for location-based features or to verify content authenticity. We strip GPS data from publicly displayed images to protect your location privacy. However, the original metadata may be retained in our storage for moderation and legal compliance purposes.

How to prevent metadata collection: Remove EXIF data from your photos before uploading using your device settings or a metadata removal tool.

See Terms of Service ยง6.19 for full details on EXIF data handling.

1.16 Photo Boosting and Purchasing Data

  • Photo boost purchase history (which photos were boosted, timestamps, points spent)
  • Photo purchase history (photos purchased from other users, timestamps, points spent)
  • Boost performance data (views gained during boost period)

2. How We Use Your Information

  • To provide and maintain our service
  • To verify age requirements
  • To prevent fraud and abuse
  • To enforce our Terms of Service
  • To comply with legal obligations
  • To improve user experience
  • To communicate with you about your account
  • To promote and grow the service (for example, featuring publicly posted content in promotional materials as described in our Terms of Service)
  • To operate automated content moderation systems (see Section 2.1)
  • To verify user identities through our verification system
  • To calculate leaderboard rankings and award points
  • To operate the Hot or Not voting feature
  • To detect and prevent duplicate or previously-removed content
  • To facilitate random video chat (Omegle) matching and moderation
  • To operate games, leaderboards, and interactive features
  • To process Point Shop purchases and manage virtual item inventories
  • To process and display donation contributions
  • To detect multi-account usage via IP address correlation
  • To operate seasonal and event features (e.g., April Fools gallery)

2.1 Automated Processing and AI Moderation

๐Ÿค– Automated Decision-Making (GDPR Article 22 / EU AI Act)

We use AI-powered systems to assist with content moderation. These systems automatically process your uploaded photos and videos to:

  • Classify content categories: Determine appropriate age-gating (Safe Content 13+ or Adult Content 18+)
  • Detect potential minors: Flag content that may depict underage individuals for human review
  • Identify content characteristics: Analyze visible body parts and content type
  • Perceptual hashing: Create digital fingerprints of images to detect duplicates and previously-removed content

Your Rights: You have the right not to be subject to decisions based solely on automated processing that significantly affect you. All automated moderation decisions that result in content removal or restriction are subject to human review. You may contest any automated decision by contacting us.

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) for protecting users and complying with child safety laws.

3. Data Retention

We retain your data:

  • Account data: Until you delete your account
  • Uploaded content: Until you delete it or we remove it for a policy violation
  • Verification photos: Retained for the duration of your account; deleted upon account deletion
  • Messages and chat: Until you or the other party deletes them, or upon account deletion
  • IP logs: For security and legal compliance (typically 90 days to 1 year)
  • Session data: Active sessions expire after inactivity; historical data retained up to 90 days
  • Deleted content: May remain in backups for up to 90 days
  • Legal hold data: Retained as required by law or valid legal process
  • Perceptual hashes: Retained indefinitely to prevent re-upload of removed content

4. Data Sharing

We do not sell your personal information.

We may share your information only in the following circumstances:

  • Law enforcement: When required by valid legal process
  • Safety: To prevent harm or illegal activity
  • CSAM reports: Required reporting to NCMEC and authorities
  • Service providers: Trusted partners who assist in operating our service

5. Your Rights Under GDPR

As an EU-based service, we provide you with comprehensive data protection rights:

5.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, access to that data and information about the processing.

5.2 Right to Rectification (Art. 16 GDPR)

You have the right to obtain the rectification of inaccurate personal data and to have incomplete data completed.

5.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data without undue delay where:

  • The data is no longer necessary for the purposes collected
  • You withdraw consent and there is no other legal ground for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased for compliance with a legal obligation

Note: This right may be limited where retention is necessary for legal compliance, establishment of legal claims, or other lawful purposes.

5.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to restrict processing of your personal data in certain circumstances.

5.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.

5.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

5.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw consent at any time.

5.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, particularly in your country of residence, workplace, or where an alleged infringement occurred.

Finnish Data Protection Authority:
Office of the Data Protection Ombudsman
Website: tietosuoja.fi
Email: tietosuoja@om.fi

How to Exercise Your Rights

To exercise any of these rights, contact us using our Privacy Request Form or Data Protection Officer

We will respond to your request within one month as required by GDPR (extendable by two additional months for complex requests).

6. Security

We implement industry-standard security measures including:

  • Encrypted passwords using Argon2ID
  • Secure HTTPS connections
  • Regular security audits
  • Access controls and monitoring

7. International Data Transfers

Data Location: Your data is primarily stored on servers located in Finland (EU).

If we transfer your data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Adequacy decisions by the EU Commission
  • Your explicit consent where required

Currently, data processing occurs within the EU and we do not routinely transfer data outside the EEA.

8. Cookies and Tracking Technologies

Cookie Consent: In compliance with the EU ePrivacy Directive (Cookie Law), we obtain your consent before placing non-essential cookies.

We use cookies for:

  • Strictly Necessary Cookies: Session management, authentication, security (no consent required)
  • Guest Identification Cookie (guest_id): Used to track guest uploads and prevent duplicate voting without an account (strictly necessary for service operation)
  • Functional Cookies: User preferences and settings (consent required)
  • Performance Cookies: Analytics and site improvement (consent required)

You can manage your cookie preferences at any time through your browser settings or our cookie consent banner.

9. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

  • Consent (Art. 6(1)(a) GDPR): For optional features and marketing communications
  • Contract Performance (Art. 6(1)(b) GDPR): To provide our service to you
  • Legal Obligations (Art. 6(1)(c) GDPR): For age verification, CSAM reporting, and compliance with Finnish/EU law
  • Legitimate Interests (Art. 6(1)(f) GDPR): For security, fraud prevention, abuse prevention, and service improvement
  • EU Regulation 2021/1232 (ePrivacy CSAM Derogation): This regulation provides a specific temporary derogation from the confidentiality provisions of the ePrivacy Directive, authorising online platforms to voluntarily use technology to detect, report, remove, and disable access to CSAM in electronic communications including private messages. Our automated message scanning for CSAM and grooming patterns operates under this legal framework

10. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance.

To contact our DPO or submit privacy requests, please use our Contact Form and select the appropriate category (DPO, GDPR, or Privacy Request).

11. United States Privacy Rights

๐Ÿ‡บ๐Ÿ‡ธ US User Privacy Rights

While RateMyBody operates from Finland under EU law, we respect the privacy rights of our US users:

California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have the right to:

  • Know: Request disclosure of personal information collected about you
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of the sale of personal information (Note: We do not sell personal information)
  • Non-Discrimination: Not be discriminated against for exercising your privacy rights
  • Correct: Request correction of inaccurate personal information
  • Limit: Limit use and disclosure of sensitive personal information

To exercise these rights, contact us using our California Privacy Request Form

Other US State Privacy Laws

We also respect privacy rights under:

  • Virginia CDPA: Virginia Consumer Data Protection Act
  • Colorado CPA: Colorado Privacy Act
  • Connecticut CTDPA: Connecticut Data Privacy Act
  • Utah UCPA: Utah Consumer Privacy Act

Residents of these states have similar rights to access, delete, correct, and opt-out of data processing.

Federal Privacy Protections

  • COPPA: We comply with the Children's Online Privacy Protection Act. We do not knowingly collect personal information from children under 13. Users must be at least 13 years old to use the Service. If we become aware that a child under 13 has provided personal information, we will promptly delete it.
  • CAN-SPAM: All marketing emails include opt-out mechanisms and comply with the CAN-SPAM Act.
  • TCPA: We do not send unsolicited SMS messages and comply with the Telephone Consumer Protection Act.

12. Contact Us

Data Controller: RateMyBody, Finland

For all privacy-related inquiries, please use our Contact Form and select the appropriate category:

  • Privacy inquiries: Select "Privacy / GDPR Request"
  • Data Protection Officer: Select "Data Protection Officer (DPO)"
  • GDPR requests: Select "Privacy / GDPR Request"
  • California/CCPA requests: Select "California Privacy Rights (CCPA)"
  • DMCA/Copyright: Select "DMCA / Copyright Takedown"

For all inquiries, you can also use our Contact Form.

Legal Entity: RateMyBody operates in Finland under EU law. We do not maintain a public postal address for privacy and security reasons. All communications should be conducted via our contact form.

๐Ÿ“š Related Legal Documents & Resources

13. Children's Data Processing

๐Ÿ”’ Data Processing for Users Under 18

RateMyBody accepts users aged 13 and older. We take special care with the personal data of users under 18:

  • Minimum age: Users must be at least 13 years old to create an account. We do not knowingly collect personal information from children under 13. If we discover data from a user under 13, we will promptly delete it and terminate the account (see also COPPA compliance in Section 11.3)
  • GDPR Age of Consent for Digital Services (Art. 8): Under GDPR, children below the age of 16 (or lower where a member state has legislated, but no younger than 13) require parental consent for processing based on consent. Finnish law sets this threshold at 13. For users aged 13โ€“15, we rely on legitimate interests and contract performance as legal bases rather than consent alone
  • Enhanced protections: Minor users (under 18) are subject to enhanced safeguarding measures including restricted content visibility, enhanced automated monitoring of messages for grooming patterns, and routing of all minor-related moderation to designated Safeguarding Leads only
  • No behavioural profiling: We do not profile minor users for advertising, marketing, or behavioural targeting purposes. Any advertisements shown are contextual only
  • Data minimisation: We collect only the minimum data necessary from minor users to operate the service safely
  • Parental access: Parents or legal guardians of users under 16 may request access to, rectification of, or erasure of their child's data by contacting our Data Protection Officer

For complete information about our minor protection measures, see our Minor Protection Policy and Terms of Service ยง3 (Prohibited Content).

14. Data Breach Notification

๐Ÿ”” Breach Notification Procedure

In the event of a personal data breach, we follow GDPR Article 33 and Article 34 procedures:

  • Supervisory authority notification: We will notify the Finnish Data Protection Ombudsman within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms (Art. 33 GDPR)
  • User notification: If a breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay (Art. 34 GDPR). Notification will be sent to your registered email address and/or via a prominent notice on the platform
  • Breach notification content: Notifications will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach
  • Internal breach register: We maintain a Record of Processing Activities (ROPA) that includes documentation of all personal data breaches, their effects, and remedial actions taken, regardless of whether notification to the supervisory authority was required

Log in to accept or deny this policy.

Login
๐Ÿ‘๏ธ 123 views (118 unique)